White Hat Hacking
Responsible security professionals, pursuing legitimate goals, sometimes worry their actions will violate computer crime laws. Take for instance the Computer Fraud and Abuse Act. It is worded so broadly that it could, roughly speaking, be interpreted to punish any unauthorized access to a computer that causes the computer owner a problem.
A recent study explores the potential that white hat security professionals could be prosecuted for probing a web resource without permission of the owner – such as running a vulnerability scanner like Nikto or otherwise testing a Web 2.0 application for security weaknesses. See the Inaugural Report of the CSI Working Group on Web Security Research Law, June 11, 2007.
Good Reason to Probe?
Sometimes reputable professionals have good reason to conduct these kinds of probes. They might be surveilling a phishing site that is stealing passwords from their client’s customers. Or they might be performing a public service to Internet users – in keeping with the time-honored practice by security researchers of testing popular desktop software for weaknesses.
Above-board security professionals can take a number of steps to minimize the risk of breaking the law. In order to commit a crime, a person must have intent to do something wrong. A powerful way to dispel “wrongful intent” is to openly communicate what you are doing and what the justification for it is.
One example: If you are aggressively probing a phishing site, then send or leave a message identifying yourself, saying you have reasons to believe the site is phishing and explaining you are running vulnerability tests, and so on. The message constitutes an exculpatory record.
Announce Yourself in Advance?
Another example: If you are researching a popular Web 2.0 application for the purpose of informing and protecting the public, then do it in the open. Send a message to the site owner identifying yourself, describing the scope and limits of your research, and explaining that you act in the public interest, consistent with the established practice of independent testing of software applications. Give the site owner time to respond. And then blog about what you do and let the public see.
These suggestions stem from the general notion that transparency and open communication are the best means to prevent a good person from being mistaken for a crook.
I grant you, these suggestions are not without controversy. There is more to this topic than I have space for here. And you should not take anything I say in a blog as legal advice or a substitute for counsel from an attorney. We discuss these and related issues in the series of SANS courses I teach on IT security law.
Mr. Wright teaches the law of cyber investigations at the SANS Institute.